CVE-2016-3092 & CVE-2013-2186 Apache Commons Fileupload vulnerabilities

05 Aug 2016

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Apache Wicket 1.5.x, 6.x and 7.x


CVE-2016-3092: A malicious client can send file upload requests that cause the HTTP server using the Apache Commons Fileupload library to become unresponsive, preventing the server from servicing other requests.

This flaw is not exploitable beyond causing the code to loop expending CPU resources.

CVE-2013-2186: The DiskFileItem class in Apache Commons FileUpload allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance.

Since version 7.0.0 Apache Wicket does not embed Apache Commons FileUpload but uses it as a Maven dependency so an application can just update the dependency to version 1.3.2.

Apache Wicket Team